2. Serving Dutch research & education
MAGIC WORKSHOP — SC14 — New Orleans, LA, November 2014
3. SURF as umbrella
• All ICT activities for Higher Education and Research in the
Netherlands are under the SURF umbrella
• Diagram: the four areas under the SURF umbrella are Scientific Computing & Big Data; Commercial ICT Products & Services; National Research & Education Network; eScience Collaboration and Tools
4. Where are these Id. Federations?
Source: REFEDS map (legend: pilot / production)
5. Federation essentials
• We need a working inter-federation framework
• Collaboration does not have boundaries
6. Federations work but…
CHALLENGES STILL AHEAD
• Attribute aggregation
• Credential translation
• Levels of assurance
• Bridging communities
• User friendliness
• Attribute release
• Homeless users
• Non-web-browser access
7. Developments in EU and beyond
• EU work on two tiers:
- National basis, led by the NRENs
- EU scale as part of the GEANT project, mostly the Identity
and Trust research work and services
• Global scale:
- REFEDS
8. GEANT InAcademia
• To create a simple service to validate the affiliation
of a user (e.g. is this person a student?)
• Use-cases for this:
- Web shops discounts
- “Free” access to some cloud services (e.g. Office 365, Apple,
etc.)
- Validate affiliation on relevant social platforms
• Pilot service expected by end of 2014, early 2015
9. InAcademia Rationale
eduPersonAffiliation attribute
• The attribute within a federated login can be used
to validate membership of the academic
community, however:
- Joining a federation is a problem (policies and contracts)
- Implementing SAML and doing federation is tough
- Inter-federation is even harder
- Up-front cost, but no customers
• So, a lot of work, while the service only needs the
affiliation, which is pretty low risk in the privacy spectrum
10. InAcademia — Workflow
• Service gets attributes directly from user (self asserted or social)
• Service queries a single “centralised” service — InAcademia
Simple Validation Service to confirm affiliation
• A well understood protocol can be used to query InAcademia
• Policy barrier for using InAcademia is low
• The user “proves” their affiliation at InAcademia, which is under
control of the existing federations and NRENs
• InAcademia is connected to eduGAIN
• Authentication at home Identity Provider delivers requested
affiliation
• InAcademia interprets the affiliation and answers the requesting
service, but never directly delivers attribute values!
• User gets discount and service pays a small transaction fee
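The decisive step in the workflow above is the last hop: InAcademia reads the affiliation the home IdP asserted and returns only a yes/no for the profile the service asked for. The following is an added example modelling that step in Python; it is not the GEANT service's own code. The profile names ("student", "affiliated") and their value sets are assumed for illustration, the SAML assertions are constructed inline, and signature and Conditions checking is assumed to have been done by the SAML stack before this point.

```python
"""Toy InAcademia-style validation step (added example, not the GEANT service's
own code): read eduPersonAffiliation out of the SAML assertion the home IdP
returned, and answer the requesting service with yes/no for the profile it asked
for. The attribute values themselves never leave this module."""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# OID-form SAML attribute names from the standard eduPerson mapping.
EPA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"    # eduPersonAffiliation
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"   # eduPersonScopedAffiliation

# Assumed profile definitions: the slides mention two low-risk profiles but
# not their names or value sets, so these are illustrative only.
PROFILES = {
    "student": {"student"},
    "affiliated": {"student", "faculty", "staff", "employee", "member"},
}


def affiliations_from_assertion(assertion_xml):
    """Collect the affiliation values asserted by the IdP (lower-cased, scope
    stripped). Only the two affiliation attributes are consulted; anything else
    the IdP released (mail, names, ...) is ignored on purpose.
    Assumed: the assertion's signature, audience and validity window were
    already verified by the SAML stack before it reaches this function."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        if attr.get("Name") not in (EPA, EPSA):
            continue
        for val in attr.findall("saml:AttributeValue", SAML):
            text = (val.text or "").strip().lower()
            if text:
                # The scoped form is "value@scope"; keep only the value part.
                values.add(text.split("@", 1)[0])
    return values


def validate(assertion_xml, profile):
    """Answer the requesting service: does the user satisfy the profile?
    The response is deliberately limited to the profile name and a boolean,
    so no attribute value is ever forwarded to the service."""
    if profile not in PROFILES:
        raise ValueError("unknown profile: %s" % profile)
    matched = affiliations_from_assertion(assertion_xml) & PROFILES[profile]
    return {"profile": profile, "valid": bool(matched)}


# Constructed sample assertions (not real IdP output).
STUDENT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2014-11-17T10:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>someone@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

STAFF_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2014-11-17T10:05:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>staff@example.edu</saml:AttributeValue>
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate(STUDENT_ASSERTION, "student"))
    print(validate(STAFF_ASSERTION, "student"))
    print(validate(STAFF_ASSERTION, "affiliated"))
```

The mail attribute in the first assertion is there to show that over-release by the IdP does not leak through: the validator only ever looks at the two affiliation attributes and only ever returns a boolean.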
11. InAcademia - Benefits
• For Identity Providers
- SAML based, connected via eduGAIN
- Two profiles that have minimal ‘low risk’ attribute requirements
- No personal data stored at central service
- One connection with many services that are of high value to
users, but low effort for IdPs
• For Services
- OpenID Connect interface towards service, no SAML required
- No need to deal with (inter) federation
- Simplified policy, compatible with eduGAIN CoCo
- Little upfront cost, only pay small amount when transaction is
made
- One connection with many trusted Identity Providers
12. REFEDS
• REFEDS = Research and Education FEDERATIONS
- The voice that articulates the mutual needs of research and
education identity federations worldwide
- Offers best practices for R&E federations to ease inter-federation
- Supported by the GEANT Association (formerly TERENA)
- Open to anybody with an interest in using federated
credentials
https://refeds.org
13. REFEDS — Entity Categories
• Aim: to group federation entities that share
common criteria
- To ease the attribute release problems
- IdPs release the same set of attributes to all SPs that
are in a category instead of negotiating with each of them
individually
• Two categories approved:
- Hide from Discovery
- Research and Scholarship
https://wiki.refeds.org/display/ENT/Entity-Categories+Home
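What "release the same set to every SP in the category" looks like as IdP-side logic, as an added example in Python (not Shibboleth, SimpleSAMLphp or any other product's code): the entity categories are read from the entity-level Extensions of the SP's SAML metadata, an SP tagged Research and Scholarship gets the fixed R&S bundle, and the Hide from Discovery tag is checked on the IdP side for discovery. The attribute bundle is given as friendly names and is assumed for the example (the authoritative list is in the R&S specification); the metadata documents are constructed inline. The code trusts the metadata it is handed, so in practice it must only ever see metadata from a signed, verified federation or eduGAIN aggregate, where the registrar, not the SP, asserts the category.

```python
"""Entity-category-driven attribute release as a small policy function (added
example, not any IdP product's code). Categories are read from the entity-level
<md:Extensions> of a SAML EntityDescriptor, which is where a federation
registrar asserts them. Assumption: the metadata passed in comes from a
signature-verified federation aggregate, never from the SP itself."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
HIDE = "http://refeds.org/category/hide-from-discovery"

# R&S bundle as friendly names; assumed for the example, the authoritative
# definition is the R&S specification.
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName",
                       "givenName", "sn", "eduPersonScopedAffiliation"})


def entity_categories(metadata_xml):
    """Return (entityID, set of entity-category values) for one descriptor.
    Only entity-level Extensions are consulted, not those inside a role
    descriptor, so a category cannot be smuggled in at the wrong level."""
    root = ET.fromstring(metadata_xml)
    cats = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                cats.add(val.text.strip())
    return root.get("entityID"), cats


def attributes_to_release(sp_metadata_xml, bilateral_policy=None):
    """Decide which attributes the IdP releases to this SP: the R&S bundle if
    the SP is in the category, otherwise whatever was agreed bilaterally
    (keyed by entityID), otherwise nothing."""
    entity_id, cats = entity_categories(sp_metadata_xml)
    if RS in cats:
        return set(RS_BUNDLE)
    return set((bilateral_policy or {}).get(entity_id, ()))


def show_in_discovery(idp_metadata_xml):
    """A discovery service should not list an IdP tagged Hide from Discovery."""
    _, cats = entity_categories(idp_metadata_xml)
    return HIDE not in cats


# Constructed sample metadata (not from any real federation feed).
_XMLNS = ('xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"')
_CAT = ('<md:Extensions><mdattr:EntityAttributes>'
        '<saml:Attribute Name="http://macedir.org/entity-category" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        '<saml:AttributeValue>%s</saml:AttributeValue>'
        '</saml:Attribute></mdattr:EntityAttributes></md:Extensions>')
_SP_ROLE = ('<md:SPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol"/>')
_IDP_ROLE = ('<md:IDPSSODescriptor protocolSupportEnumeration='
             '"urn:oasis:names:tc:SAML:2.0:protocol"/>')

RS_SP = ('<md:EntityDescriptor %s entityID="https://sp.example.org/shibboleth">'
         % _XMLNS + _CAT % RS + _SP_ROLE + '</md:EntityDescriptor>')
PLAIN_SP = ('<md:EntityDescriptor %s entityID="https://plain.example.org/sp">'
            % _XMLNS + _SP_ROLE + '</md:EntityDescriptor>')
HIDDEN_IDP = ('<md:EntityDescriptor %s entityID="https://idp.internal.example.edu/idp">'
              % _XMLNS + _CAT % HIDE + _IDP_ROLE + '</md:EntityDescriptor>')

if __name__ == "__main__":
    print(sorted(attributes_to_release(RS_SP)))
    print(sorted(attributes_to_release(PLAIN_SP)))
    print(show_in_discovery(HIDDEN_IDP))
```

The bilateral fallback is what the category replaces: an SP without a category still gets only what was negotiated with it by hand, while every R&S SP gets one policy decision made once.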
14. REFEDS — SIRTFI
• A Security Incident Response Trust Framework for
Federated Identity (pronounced SIR-T-FI)
• To define a process for expressing security incident
handling requirements as an assurance profile for
federations.
• Not strictly a REFEDS work, yet…
• A lot of interest in this area
https://wiki.refeds.org/display/GROUPS/SIRTFI